5 Reasons to Upgrade Your Web Authentication to WebAuthn


By Jerrod Chong, Chief Solutions Officer, Yubico

As organisations all over the world wake up to the security dangers of relying solely on passwords, alternative security systems have taken centre stage. Over the years, authentication has matured beyond passwords with the introduction of a multitude of two-factor authentication methods, but more recently we’re seeing the proliferation of passwordless logins with FIDO2 and WebAuthn.

WebAuthn is the new global standard for web authentication and is best in class for protecting online user accounts while delivering a seamless user experience. It supports standard two-factor authentication flows, but it also supports several authentication methods that do not rely on passwords including external hardware security keys or biometric methods built into a user’s device.

Whilst these methods all include a different approach to passwordless authentication, they have one thing in common: security is heightened by replacing usernames and passwords with strong hardware-based authentication using public key cryptography.

For those curious about the benefits of passwordless logins (aside from not having passwords), here are five compelling reasons you may want to consider upgrading to WebAuthn authentication.

  1. Widespread Accessibility

One of the key differentiators of WebAuthn is the widespread acceptance and adoption of the technology across major browsers, operating systems and devices. To date, Microsoft Edge, Mozilla Firefox, Microsoft Accounts, Brave browser, Google Chrome and Google Android have already added support for WebAuthn, and Apple most recently announced WebAuthn support in Safari Technology Preview Release 83.

Additionally, the growing availability of built-in authenticators on computers and phones is providing users with new options for authentication. For service providers, this enables the ability to offer fast, convenient and secure authentication options for all kinds of users, regardless of what kind of device or operating system they are using.

  2. Improved Security for Customers & the Business

WebAuthn replaces weak password-based login and recovery based on knowledge-based answers with strong public key cryptography, combined with origin checking to prevent phishing. By making strong authentication the baseline for using built-in and external hardware authenticators, users are protected from account takeovers.
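The origin checking mentioned above is enforced on the relying party's server, which inspects what the browser and authenticator reported before it verifies the signature. The following Python is an added example, not code from the article or from Yubico; `example.com`, the login origin, the fixed challenge and all function names are assumptions, and signature verification over the authenticator data and the hash of `clientDataJSON` must still follow these checks.

```python
import base64
import hashlib
import hmac
import json

FLAG_UP = 0x01  # authenticatorData flag: user present
FLAG_UV = 0x04  # authenticatorData flag: user verified (PIN or biometric)
RP_ID = "example.com"                 # assumed relying-party ID
ORIGIN = "https://login.example.com"  # assumed login page origin
CHALLENGE = bytes(range(32))  # constructed; issue a fresh random value per login


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion_context(client_data_json, authenticator_data,
                            challenge, origin, rp_id, require_uv=False):
    """Return the names of failed checks; an empty list means all passed."""
    failures = []
    client = json.loads(client_data_json)
    if not isinstance(client, dict):
        return ["client_data"]
    if client.get("type") != "webauthn.get":
        failures.append("type")
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(challenge).encode()):
        failures.append("challenge")  # stale or replayed response
    if client.get("origin") != origin:
        failures.append("origin")  # page origin as reported by the browser
    if len(authenticator_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return failures + ["authenticator_data"]
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        failures.append("rp_id_hash")  # credential is scoped to another site
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        failures.append("user_present")
    if require_uv and not flags & FLAG_UV:
        failures.append("user_verified")
    return failures


def make_sample(origin, rp_id, challenge, flags):
    """Build constructed clientDataJSON and authenticatorData for testing."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + bytes(4)
    return client, auth
```

A response generated on a look-alike site carries that site's origin and RP ID hash, so it fails here even though the user followed the usual login gesture; setting `require_uv=True` additionally demands the PIN or biometric step.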

A recent study by Google reviewed more than 350,000 wide-scale and targeted attacks, and showed that security keys were the most effective at stopping account takeovers. Not only does the elimination of password-based login protect customers from the threats of credential theft and phishing, but it also relieves organisations from the vulnerabilities associated with storing and protecting millions of user credentials.

  3. Improved Customer Experience & Brand Loyalty

The average consumer tries to keep track of over 14 different passwords across all their websites and services. Business users are estimated to be responsible for memorising and using an even greater number of passwords, reaching up to as many as 191. The sheer number of passwords required for daily digital activities inevitably results in forgotten passwords, password resets, or at the worst, account takeovers due to weak or reused passwords. As a result, passwords degrade customer experiences, reduce brand loyalty, and contribute to lost revenue.

Passwordless login with WebAuthn provides an experience that is faster and more secure than usernames and passwords, transforming the online user experience into the familiar split-second convenience of using an ATM card. WebAuthn also enables users lacking cellular access to still authenticate when they typically might not be able to with authentication methods like one-time codes sent to mobile devices via text messages.

  4. Lower Operational Costs

When users forget their passwords, they often end up calling help desks or support centres, consuming valuable time from support staff. In fact, Gartner estimates that password reset enquiries account for 20 to 50 percent of all help desk calls, which can cost large companies between AU$7 million and AU$30 million annually.

WebAuthn frees support and IT departments, including service desks and call centres, from the operational overhead of creating, storing, cycling, and resetting passwords. It can simplify user on-boarding and, given that password resets currently represent the number one IT support cost, passwordless login promises to significantly reduce workloads in IT call centres where agents today spend considerable time setting and resetting user passwords.

  5. Simple & Flexible Integration Options

WebAuthn introduces the option for strong single-factor, two-factor, or multi-factor authentication. With this expanded choice of authentication flows, developers choosing to add WebAuthn support will have the option to select the authentication model that best suits their use cases and customers. This is especially useful for organisations that require a higher level of authentication security or that may prefer a layered approach (e.g. a PIN, biometric or gesture for additional protection) for certain in-app actions, such as a user changing their personal information or transferring a large sum of money.

Does this mean we are on the brink of a universe free of passwords? Not entirely. We have laid the framework with the creation and standardization of WebAuthn, but now it’s time for adoption at scale. With a growing list of strong authentication options supported by WebAuthn, and the ability to solve use cases across device types or operating systems, it is possible to enable widespread support for simple, strong and passwordless authentication methods. Now is the time for companies to add WebAuthn to their services.